
Gonna only say this once. Stop building your forts with only one wall and one gate. Build many walls to cross, many gates to open, observe the user through each of these.

lol OP assumes passkeys or PWs are the only lock being used to protect things. Well, from a security implementation standpoint... I assume someone, either you on the Rust end or someone on the YubiKey end, is already a weak link and your password is probably already compromised. But that's OK.

TBH from a security standpoint, yeah I expect your PW to be correct, but I also do assume that it's not secret. It's only part of the parcel. I expect about a dozen other metrics to be correct too, depending on how secure you need your stuff or how important the security is. If you don't tick most, if not all, of these boxes, I don't care if your password or passkey is right. You're not getting in.

The PIN code > push button on YubiKeys is part of this. Your IP, your device ID, your TPM trusted data paths, the time of day you're trying to make access, the frequency of it, the country of origin, the target you're trying to get into, the Wi-Fi you are accessing this via... are all part of this. Stop being so old school about security and propping it up off one point of failure.

Now this bit is going to be the real hard biscuit to bite for a lot of folks, but yes, I get that it's harder in web because you probably don't have the physical end of things under enough control that you can use those for your security checks/metrics, as they are under user control, but maybe don't store super piss off secret data that needs to stay secret in systems like that. If your web app gets to X level of personal data/could be involved in X level of harm to society or its users if breached, don't let people sign up without MFA, hardware keys and so on. Force users to detail more info about their fixed locations and regular usage areas and judge their access security on that.

tl;dr: I don't care if your PW is compromised, it's 1/X keys needed. I assume it's compromised. I don't assume all other X keys are tho.
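An added example, not part of the thread and not written by any commenter: a sketch of the layered check the comment above describes, where a correct password is required but treated as already compromised and the remaining signals decide. The baseline, signal names and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline for one user; all names and values are hypothetical.
BASELINE = {"alice": {
    "devices": {"dev-7f3a"}, "countries": {"DE"},
    "ip_prefixes": ("203.0.113.",),      # documentation address range
    "hours_utc": range(6, 20), "max_attempts_per_hour": 10,
}}
# Signals that must match, out of 7, per target sensitivity (assumed policy).
MIN_MATCHED = {"low": 5, "high": 7}

@dataclass
class Attempt:
    user: str
    password_ok: bool
    hardware_key_ok: bool    # PIN plus touch on a security key
    device_id: str
    device_attested: bool    # TPM-backed attestation, verified upstream
    ip: str
    country: str
    when: datetime           # must be timezone-aware
    attempts_last_hour: int

def signals(a: Attempt, b: dict) -> dict:
    """Evaluate every non-password signal independently."""
    return {
        "hardware_key": a.hardware_key_ok,
        "known_device": a.device_id in b["devices"],
        "attested": a.device_attested,
        "network": a.ip.startswith(b["ip_prefixes"]),
        "country": a.country in b["countries"],
        "hours": a.when.astimezone(timezone.utc).hour in b["hours_utc"],
        "frequency": a.attempts_last_hour <= b["max_attempts_per_hour"],
    }

def decide(a: Attempt, sensitivity: str):
    """Return (decision, failed_signals); the failures are what gets logged."""
    b = BASELINE.get(a.user)
    if b is None or not a.password_ok:
        return "deny", ["credentials"]
    s = signals(a, b)
    failed = sorted(k for k, ok in s.items() if not ok)
    matched = len(s) - len(failed)
    return ("allow" if matched >= MIN_MATCHED[sensitivity] else "deny"), failed

# Constructed attempts: the owner at home, and a correct password used elsewhere.
NOON = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
OWNER = Attempt("alice", True, True, "dev-7f3a", True, "203.0.113.9", "DE", NOON, 2)
STOLEN = Attempt("alice", True, False, "dev-0000", False, "198.51.100.4", "US", NOON, 2)
```

With these constructed inputs, `STOLEN` is denied at both sensitivity levels even though its password is correct, and the returned list of failed signals shows which checks it missed.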



> Gonna only say this once. Stop building your forts with only one wall and one gate. Build many walls to cross, many gates to open, observe the user through each of these.

Obviously that's better but if you make the user jump through too many hoops they're just going to pick someone else to do business with.

This is why FIDO is a good idea, it's not only more secure but also easier. In the security world that's kinda like magic, usually you end up trading one for the other.



